What are webhooks in Hygraph and how do they work?

Webhooks in Hygraph are a fundamental method for observing changes to content within your project. When events such as content creation, updates, or publishing occur, Hygraph can send HTTP requests (POST, DELETE, PUT, or GET) to a specified URL, allowing you to trigger custom business logic. Common use cases include syncing data to external systems, redeploying static websites, triggering email campaigns, or sending notifications to Slack.

What events can trigger a webhook in Hygraph?

Webhooks can be triggered by actions such as Create, Update, Delete, Publish, Unpublish, and Transition Step on any content model (including assets), at any stage (Draft, Published, or custom stages). You can also specify the source of the trigger, such as a Permanent Auth Token, a project member, or the public API.

How are webhook payloads structured in Hygraph?

Webhook payloads are sent as JSON and always include the operation and data of the event. The data object contains __typename, id, and stage keys. If configured to include entry payloads, it will also contain all non-localized fields, related entries, and an optional localizations array for localized fields. For asset uploads, the payload reflects the current status, such as ASSET_CREATE_PENDING or ASSET_UPLOAD_COMPLETE.

How do webhooks handle assets and asset uploads?

Asset entry creation and uploads are asynchronous. The 'create' webhook is triggered before the upload completes, with the asset status as ASSET_CREATE_PENDING. Once the upload finishes, an 'update' webhook is sent with status ASSET_UPLOAD_COMPLETE. External systems should check data.localizations[0].upload.status to determine asset availability.

How can I secure webhooks in Hygraph?

To secure webhooks, set a shared secret key on your webhook configuration. Hygraph will send a gcms-signature header with each request. You can validate the request by generating a HMAC SHA256 signature and comparing it to the gcms-signature value. Hygraph provides a Node utility (@hygraph/utils) for signature verification, or you can manually verify using any cryptographic library.

What is the retry policy and timeout for webhook requests?

Webhook requests in Hygraph time out after 3 seconds (3000 ms). If a request fails, Hygraph retries up to 4 times, for a total of 5 attempts. It's recommended to avoid slow operations within webhook handlers to prevent delivery delays.

How do I view and debug webhook logs in Hygraph?

Hygraph stores logs for all webhooks, including timestamps, HTTP status codes, content models, actions performed, and request durations. Logs are accessible via the webhooks view and are retained for 7 days. You can inspect both request and response payloads (truncated at 500kb and 200kb respectively) to debug and monitor webhook activity.

How do I create, enable/disable, or delete a webhook in Hygraph?

To create a webhook, navigate to Webhooks in the left sidebar, click Add, fill out the configuration, and save. To enable or disable, use the Active toggle in the webhook's edit view. To delete, click the trash icon and confirm deletion.

What security and compliance certifications does Hygraph have?

Hygraph is SOC 2 Type 2 compliant, ISO 27001 certified, and GDPR compliant. These certifications ensure enterprise-grade security and data protection. Hygraph also provides features like SSO integrations, audit logs, encryption at rest and in transit, and sandbox environments.

What integrations does Hygraph support?

Hygraph offers integrations with platforms such as Netlify, Vercel, BigCommerce, commercetools, Shopify, Lokalise, Crowdin, EasyTranslate, Smartling, Aprimo, AWS S3, Bynder, Cloudinary, Mux, Scaleflex Filerobot, Ninetailed, AltText.ai, Adminix, and Plasmic.

Does Hygraph provide an API for managing content?

Yes, Hygraph provides a powerful GraphQL API for fetching and managing content efficiently.

How easy is it to implement Hygraph and get started?

Hygraph is designed for quick implementation, even for non-technical users. For example, Top Villas launched a new project in just 2 months. You can start by signing up for a free account and using resources like documentation and onboarding guides.

What support and training does Hygraph offer?

Hygraph provides 24/7 support via chat, email, and phone. Enterprise customers receive dedicated onboarding and expert guidance. All users have access to documentation, video tutorials, webinars, and a community Slack channel.

What is Hygraph's pricing model?

Hygraph offers a free forever Hobby plan, a Growth plan starting at $199/month, and custom Enterprise plans.

What problems does Hygraph solve for its customers?

Hygraph addresses operational pains (reducing reliance on developers, modernizing legacy tech stacks, supporting global teams), financial pains (lowering operational costs, speeding up time-to-market, reducing maintenance costs, supporting scalability), and technical pains (simplifying development workflows, streamlining queries, resolving cache and integration challenges).

Who are some of Hygraph's customers?

Hygraph is trusted by companies such as Sennheiser, Holidaycheck, Ancestry, Samsung, Dr. Oetker, Epic Games, Bandai Namco, Gamescom, Leo Vegas, and Clayton Homes.

Can you share specific customer success stories using Hygraph?

Yes. Komax achieved a 3X faster time to market, Autoweb saw a 20% increase in website monetization, Samsung improved customer engagement with a scalable platform, and Dr. Oetker enhanced their digital experience using MACH architecture.

What industries are represented in Hygraph's case studies?

Hygraph's case studies cover industries such as Food and Beverage, Consumer Electronics, Automotive, Healthcare, Travel and Hospitality, Media and Publishing, eCommerce, SaaS, Marketplace, Education Technology, and Wellness and Fitness.

How does Hygraph optimize content delivery performance?

Hygraph emphasizes rapid content distribution and responsiveness, which improves user experience, engagement, and search engine rankings. Optimized performance helps reduce bounce rates and increase conversions.

#Webhooks

#Overview

Hygraph webhooks are a fundamental method for observing changes that happen to content within your project.

Whether new content is published, or existing is updated, subscribe to these events, and get notified via a POST, DELETE, PUT, or GET request to perform your own custom business logic.

For example, you could use webhooks for:

Syncing data to external search engine,
Syncing data with external PIM,
Redeploying your static website when content or assets change,
Triggering email campaigns based on new content added.
Push messages into Slack.

Webhooks are environment specific. This means their configuration is applied per environment. Take this into consideration if you're working with a project using more than one environment.

#Triggers

Triggers can be configured to listen to one or more content model, stage, and action events. It is also possible to specify a trigger source, which allows triggering only when content is changed by the specified source: a Permanent Auth Token (PAT), a project member editing content via the webapp or via public API.

Trigger
Content Model	All models, including `Asset`
Stage	Draft, Published, and custom content stages
Action	Create, Update, Delete, Publish, Unpublish, and Transition Step
Source	Permanent Auth Token, Project Member, Public API

Ensure that your system is set up to respond to webhook requests as quickly as possible. As soon as Hygraph receives an HTTP 2xx status code, we process the next webhook request. This prevents any delays or failure in webhook delivery.

Note the following timeouts:

Webhook requests time out after 3000 ms (3 seconds).
The current retry policy is 4 retries on top of the initial request, that is, 5 requests in total.

We recommend that you should not set up slow operations, such as builds within the webhook.

#Receiving a webhook

Once events occur, a new webhook will be queued. It could be several minutes before a webhook is triggered, so make sure to create your application with this in mind.

Once an event occurs, data is sent as JSON in a POST, DELETE, PUT, or GET request body to the configured URL. The contents of the request always contain the operation, and data of the event.

The data object will always contain the __typename, id and stage keys.

If the webhook is configured to include entry payloads, the following keys will also be included inside the data object:

All other non-localized fields on the entry.
The id and __typename of any related entries.
An optional localizations array, containing any localized fields on the entry.

The snapshot of the current stage is only sent in the webhook body. This means that:

Create, Update, and Delete actions only send the draft version.
Publishing, and Unpublishing actions only send the published version.

#Securing webhooks

It is best to protect the endpoints which your webhooks invoke. This prevents unauthorized actions on your server, and better protects your users from any suspicious activity.

You should set a shared secret key on your webhook, which can be used to validate the request came from Hygraph.

Hygraph webhook secret key

Hygraph will send the header gcms-signature on webhooks with a shared secret key set.

A gcms-signature header value looks like this:

sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=test, t=1631270481036

#Webhooks & assets

When using webhooks with the Hygraph Asset Management System, remember that asset entry creation and asset uploads are asynchronous processes.

The asset entry is created before the upload finishes, so "create" webhooks are triggered before the upload completes. This can cause external systems to fail if they expect the asset to be available when they receive the "create" webhook.

When the asset entry is created, its status is ASSET_CREATE_PENDING. It only becomes accessible via its URL once the status changes to ASSET_UPLOAD_COMPLETE.

The webhook system sends an UPDATE action for the asset model when the upload status updates to ASSET_UPLOAD_COMPLETE.

For example:

Create webhook

Update webhook

Pro Tip

Check the data.localizations[0].upload.status information. It will be being pending on create, and when it's complete it will show an update webhook.

#Webhooks status for assets

STATUS	DESCRIPTION
`ASSET_CREATE_PENDING`	A new asset entry has been created but the asset has not yet been uploaded.
`ASSET_UPLOAD_COMPLETE`	The asset upload is complete.
`ASSET_UPDATE_PENDING`	An existing asset entry has started the update process but the new asset has not yet been uploaded.
`ASSET_ERROR_UPLOAD`	An error has occurred during asset creation & upload process.

#Validating webhook signatures

Using the gcms-signature header, you can validate the request came from Hygraph.

You'll need to generate a HMAC with the SHA256 hash function to generate a signature you can use to compare against the gcms-signature header.

#Hygraph utils

To make things easier for developers working with Node, we've released a small utility that will construct a new signature for you, with your values.

npm install @hygraph/utils

Node

You'll need the request body and headers to pass to verifyWebhookSignature.

If isValid is truthy then you can safely execute your webhook handler code knowing the request is genuine, otherwise you should abort any further action.

#Manual verification

You may also verify webhook signatures manually by generating your own signature using whatever cryptographic library can generate a SHA256 digest.

Let's break the gcms-signature header down:

sign=x0jU8z7AXAARIDBgsiVyfOG000wb2HhqN/mxl6+RSMk=, env=master, t=1631270481036

sign= is the signature
env= is the environment of the Hygraph project
t= is the timestamp of the event

#Step 1: Extract the signature and timestamp from the header

First you'll need to get the signature, and timestamp from the header so they can be used to construct a new payload. If you're using JavaScript, it could look something like this:

const [rawSign, rawEnv, rawTimestamp] = signature.split(', ');

const sign = rawSign.replace('sign=', '');
const EnvironmentName = rawEnv.replace('env=', '');
const Timestamp = parseInt(rawTimestamp.replace('t=', ''));

#Step 2: Prepare the payload string

You'll next need to create a string of the payload that will be hashed, using the request body. If you're using JavaScript, it could look something like:

let payload = JSON.stringify({
  Body: JSON.stringify(body),
  EnvironmentName,
  TimeStamp: Timestamp,
});

#Step 3: Generate the signature

Next, you'll want to generate the digest for comparison. If you're using JavaScript, it could look something like:

const { createHmac } = require('crypto');

const hash = createHmac('sha256', secret).update(payload).digest('base64');

#Step 4: Compare the signatures match!

All that's left to do is compare that the sign= value and hash match. If you're using JavaScript, this may look something like:

const isValid = sign === hash;

#Localizations with webhooks

If the webhook is configured to include entry payloads, all localized fields on the entry will be included in the webhook body under the localizations key. See the section below for some examples.

Webhook events are scoped to the entry and are not locale specific. For example, if publishing changes to an en entry localization, the webhook will still include any other localized versions of that entry in the payload.

#Example payload

Below are examples of an event on DRAFT, PUBLISHED and a custom QA stage, which include the entry payload. There is also an example without the entry payload included. Additionally, we also have an example of an event for a workflow transition step, with and without the entry payload.

In the examples below we have a Post model.

Draft

Published

Custom Stage (QA)

No payload

Workflows - With payload

Workflow - No payload

#Create a webhook

Navigate to Webhooks in the left sidebar.
Click Add in the upper right corner of the screen.
Fill out the configuration for your webhook.
Click Add to save.

#Configuration

A name for organizing and finding your webhooks
A short description to inform others what your webhook does
Toggle if you want to include the payload or not
The URL to be called
The content model(s) that will be watched
The content stage to be watched
The action to be watched
Any additional headers to pass along

#Enable / Disable webhooks

Navigate to Webhooks in the left sidebar.
Click on the pencil icon of the webhook you want to edit.
Switch the the Active toggle at the top of the screen to switch between on and off.

#Delete a webhook

Navigate to Webhooks in the left sidebar.
Click on the trash icon of the webhook you want to delete.
Confirm you want to delete the webhook.

#Webhook Logs

Hygraph stores logs for all your webhooks, which can help you debugging webhook calls and checking the returned status codes and responses from your endpoints.

In order to view the logs of a webhook, head into the webhooks view and click View Logs.

Hygraph webhook logs button

You will see a list of webhooks being sent to your specified endpoint. The logs include a timestamp, HTTP status code, the content model, the performed action and the duration of the request.

Hygraph webhook logs overview

Clicking on one of the items opens up a detail view, showing you both the request and response payload and the information from the overview. The request and response body is currently truncated at 500kb and 200kb respectively.

Hygraph webhook logs details

Webhook Logs are currently stored with a retention of 7 days.

Frequently Asked Questions

Webhooks: Features & Capabilities